PixPirate: New Android Banking Trojan Targeting Brazilian Financial Institutions

A new Android banking trojan has set its eyes on Brazilian financial institutions to commit fraud by leveraging the PIX payments platform.


Italian cybersecurity company Cleafy, which discovered the malware between the end of 2022 and the beginning of 2023, is tracking it under the name PixPirate.

“PixPirate belongs to the newest generation of Android banking trojan, as it can perform ATS (Automatic Transfer System), enabling attackers to automate the insertion of a malicious money transfer over the Instant Payment platform Pix, adopted by multiple Brazilian banks,” researchers Francesco Iubatti and Alessandro Strino said.

It is also the latest addition in a long list of Android banking malware to abuse the operating system’s accessibility services API to carry out its nefarious functions, including disabling Google Play Protect, intercepting SMS messages, preventing uninstallation, and serving rogue ads via push notifications.

Besides stealing passwords entered by users on banking apps, the threat actors behind the operation have leveraged code obfuscation and encryption using a framework known as Auto.js to resist reverse engineering efforts.

The dropper apps used to deliver PixPirate come under the garb of authenticator apps. There are no indications that the apps were published to the official Google Play Store.

The findings come more than a month after ThreatFabric disclosed details of another malware called BrasDex that also comes with ATS capabilities, in addition to abusing PIX to make fraudulent fund transfers.

“The introduction of ATS capabilities paired with frameworks that will help the development of mobile applications, using flexible and more widespread languages (lowering the learning curve and development time), could lead to more sophisticated malware that, in the future, could be compared with their workstation counterparts,” the researchers said.

The development also comes as Cyble shed light on a new Android remote access trojan codenamed Gigabud RAT targeting users in Thailand, Peru, and the Philippines since at least July 2022 by masquerading as bank and government apps.

“The RAT has advanced features such as screen recording and abusing the accessibility services to steal banking credentials,” the researchers said, noting its use of phishing sites as a distribution vector.

The cybersecurity firm further revealed that the threat actors behind the InTheBox darknet marketplace are advertising a catalog of 1,894 web injects that are compatible with various Android banking malware such as Alien, Cerberus, ERMAC, Hydra, and Octo.

The web inject modules, mainly used for harvesting credentials and sensitive data, are designed to single out banking, mobile payment services, cryptocurrency exchanges, and mobile e-commerce applications spanning Asia, Europe, the Middle East, and the Americas.

But in a more concerning twist, fraudulent apps have found a way to bypass defenses in the Apple App Store and Google Play to perpetrate what’s called a pig butchering scam called CryptoRom.

The technique entails employing social engineering methods such as approaching victims through dating apps like Tinder to entice them into downloading fraudulent investment apps with the goal of stealing their money.

The malicious iOS apps in question are Ace Pro and MBM_BitScan, both of which have since been removed by Apple. An Android version of MBM_BitScan has also been taken down by Google.

Cybersecurity firm Sophos, which made the discovery, said the iOS apps featured a “review evasion technique” that enabled the malware authors to get past the vetting process.

“Both the apps we found used remote content to provide their malicious functionality: content that was likely concealed until after the App Store review was complete,” Sophos researcher Jagadeesh Chandraiah said.

Pig butchering scams had their beginnings in China and Taiwan, and have since expanded globally in recent years, with a huge chunk of operations carried out from special economic zones in Laos, Myanmar, and Cambodia.

In November 2022, the U.S. Department of Justice (DoJ) announced the takedown of seven domain names in connection to a pig butchering cryptocurrency scam that netted the criminal actors over $10 million from five victims.
